24 April 2016

Has State-Sponsored Hacking Lost Its Luster in China?

One of the most surprising recent moments in U.S.-China relations arrived last September in Washington, D.C., when Barack Obama and Chinese President Xi Jinping told reporters they’d reached a deal to end state-supported hacking of corporate records for economic benefit.

Why would China agree to give up an activity that appeared to have been a crucial part of its economic strategy? Based on recent observations of Chinese hacking activity and the country’s recent economic plans, analysts at U.S.-based cybersecurity firm FireEye have a provocative theory: that Mr. Xi accepted the pact in part because Chinese officials had already begun to sour on conventional cybertheft.

The basis for the theory, says William Glass, a threat intelligence analyst at FireEye, is the economic vision outlined in China’s recently released 13th Five-Year Plan and other development blueprints. Those plans call for China to evolve beyond being the world’s factory by building up advanced industries like artificial intelligence, biotechnology and online services that require a high level of human skill and creativity in addition to technology.

While stealing and copying foreign designs makes sense in many conventional industries, Mr. Glass says, “for something that’s more complex or advanced, simply replicating what you steal through cyberespionage is maybe not as useful.”

Rather than hack foreign firms, he adds, Chinese companies “might decide they are better off partnering with foreign firms, or even acquiring them outright.”

Mr. Glass’s hypothesis comes amid feverish Chinese M&A activity and increased pressure on foreign companies in China to cooperate with local partners in exchange for market access. The total value of Chinese-led purchases of U.S. companies hit $23 billion by mid-February this year, breaking the full-year record of $20.5 billion set in 2015. Those figures don’t count failed deals, like a rejected Chinese bid for Fairchild Semiconductor, or cooperative projects involving the likes of IBM and Qualcomm.

And while the picture is still murky, some government officials and security firms say Chinese state-sponsored hacking groups — also known as advanced persistent threat, or APT, groups — have cut back their activities. U.S. Director of National Intelligence James Clapper told Congress in March there had been “some reduction” in Chinese hacking. FireEye, meanwhile, says that none of the 22 Chinese APT groups it tracks are actively attacking U.S. companies.

Many analysts believe Mr. Xi agreed to last September’s deal because he was spooked by the threat of U.S. sanctions against Chinese companies that have benefited from cybertheft. That doesn’t necessarily conflict with Mr. Glass’s theory. If Beijing sees fewer benefits from hacking, then it would be even less willing to face the risk of sanctions.

None of this means Chinese hacking will stop, Mr. Glass says: Instead, hackers might start stealing financial and other information that could help companies in M&A negotiations.

In the past several years, FireEye tracked China-based hacking efforts aimed at two companies that were reportedly talking about a merger, he says. The security firm also discovered Chinese hacking activity at a company where executive emails, financial statements and insurance policies were stolen.

In the latter case, Mr. Glass says, an acquisition eventually was completed, “though we do not know the impact the stolen material had on the merger decision-making.” He didn’t identify the companies or where they were located.

The theory has its skeptics. With Chinese economic growth slowing, it’s reasonable to assume state-sponsored hackers would want to grab as much intellectual property as they can, not just deal-related information, says Adam Segal, an expert on China and cybersecurity at the Council on Foreign Relations.

Hacking for M&A would also require a high level of understanding of markets on the part of both those directing the attacks and the operators rummaging around inside a company’s systems, according to Mr. Segal. “Maybe there are lots of unemployed MBAs now working for the People’s Liberation Army, but wouldn’t that be something the intelligence community could track?” he says.

On Tuesday, FireEye announced the launch of a new “rapid service” for M&A deals that, according to a press release, can help companies assess “the level of cyber security risk present in the acquisition that could drive decisions.” A FireEye spokesman said the company has seen M&A-related attacks for some time, including from an English-speaking group it identified targeting Wall Street in 2014.